OSSEC: Ubuntu 18.04

From OnnoWiki
Jump to navigation Jump to search

Install Pendukung

sudo su
apt update
apt -y install build-essential make zlib1g-dev libpcre2-dev libz-dev libssl-dev libevent-dev

Download & Install

sudo su
cd /usr/local/src
wget https://github.com/ossec/ossec-hids/archive/3.6.0.tar.gz
tar zxvf 3.6.0.tar.gz 
cd /usr/local/src/ossec-hids-3.6.0
./install.sh


Cuplikan Proses Instalasi

CATATAN: Sebagian besar cukup tekan ENTER


  • Pilih Bahasa: [en]
OSSEC HIDS v3.6.0 Installation Script - http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.

 - System: Linux ubuntu 4.15.0-20-generic
 - User: root
 - Host: ubuntu

ENTER

1- What kind of installation do you want (server, agent, local, hybrid or help)? 

server
hybrid

2- Setting up the installation environment. 

ENTER [/var/ossec]

3- Configuring the OSSEC HIDS. 

 3.1- Do you want e-mail notification? (y/n) [y]: ENTER 
  - What's your e-mail address? email@address.anda
  - We found your SMTP server as: smtp.server.anda
  - Do you want to use it? (y/n) [y]: ENTER 
 3.2- Do you want to run the integrity check daemon? (y/n) [y]: ENTER
  - Running syscheck (integrity check daemon).
 3.3- Do you want to run the rootkit detection engine? (y/n) [y]: ENTER
 3.4- Active response allows you to execute a specific 
      command based on the events received. For example,
      you can block an IP address or disable access for
      a specific user.  
      More information at:
      http://www.ossec.net/en/manual.html#active-response       
  - Do you want to enable active response? (y/n) [y]:  'ENTER
    - Active response enabled.

  - By default, we can enable the host-deny and the 
    firewall-drop responses. The first one will add
    a host to the /etc/hosts.deny and the second one
    will block the host on iptables (if linux) or on
    ipfilter (if Solaris, FreeBSD or NetBSD).
  - They can be used to stop SSHD brute force scans, 
    portscans and some other forms of attacks. You can 
    also add them to block on snort events, for example.
  - Do you want to enable the firewall-drop response? (y/n) [y]: ENTER

    - firewall-drop enabled (local) for levels >= 6
  - 
     - 127.0.0.53
  - Do you want to add more IPs to the white list? (y/n)? [n]: ENTER

 3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: 
  - Remote syslog enabled.
 3.6- Setting the configuration to analyze the following logs:
   -- /var/log/auth.log
   -- /var/log/syslog
   -- /var/log/dpkg.log
- If you want to monitor any other file, just change 
  the ossec.conf and add a new localfile entry.
  Any questions about the configuration can be answered
  by visiting us online at http://www.ossec.net .



Fast way steps:

1- Run the script ./install.sh. It will guide you through the 

  installation process.

2- The script will create everything in /var/ossec and try to 

  create the initialization script in your system (/etc/rc.local
  or /etc/rc.d/init.d/ossec). If the init script is not created,
  make sure to follow the instructions from the install.sh to make
  OSSEC HIDS start during the boot. To start it by hand, just run
  /var/ossec/bin/ossec-control start

3- If you are running it on multiple clients, make sure to install 

  the server first. Use the manage_agents tool
  to create the right encryption keys.

4- Enjoy.

Pranala Menarik

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=OSSEC:_Ubuntu_18.04&oldid=60557"